Airport Express as an extender.


It's possible to modify the access point (router) such that connected clients are not vulnerable to attacks against the 4-way handshake and group key handshake, but you will have to use a more advanced setup than the default. In hindsight, letting a vendor ship a silent patch ahead of public disclosure was a bad decision, since others might rediscover the vulnerability by inspecting that silent patch. So it's a good idea to audit security protocol implementations with this attack in mind.


The utility software is now smart enough to figure out what you're trying to do, and that will force it to auto-setup as a wired Ethernet extender, not wireless. For wireless extension, it's as easy as plugging in the power plug on the extender basestation wherever you want it (to stay within range of the main basestation), then firing up the Utility, finding the new basestation, and following the on-screen steps to set it up as an extension.

It was amazingly easy. All you have to do is:
1. Plug it in in the room you want it in and let it recycle.
2. Go to your computer and wait a few minutes and follow the instructions.
3. No need for a hard reset.
4. Just select the network and the extend option.
This was so easy and quick, and what an improvement in the signal strength.

I read this string before buying an Airport Express today, confident that I could extend my current Time Capsule-based wireless network by attaching the new Express as a node on my wired network in a remote part of the house with bad wifi signal.

Unfortunately, it does not work. The first time I plugged an Ethernet cable into the back of the Express and waited for Airport Utility to recognize it, my entire network crashed. After restarting my cable modem and Time Capsule, re-naming and re-creating my original network, re-establishing all the settings, etc.

So naturally, I tried again, hoping I had done something careless the first time. As the evening wore on, I tried every conceivable way and every plausible setting to connect this thing to my wired network. It crashed the network every time. I have been able to successfully install the Express as a wireless range extender (not connected by Ethernet), but that is not what I wanted, and is not what the manual implies when it says the WAN port of the Express is for "connecting a DSL or cable modem, OR for connecting to an existing Ethernet network".

If you are wireless extending using an Airport Extreme, can you plug in a wired device and get the network that you are extending?

If I'm not totally mistaken, it is not possible to use the cable even if you want to. It's exclusively meant for uplink.

Asked by Angela K from Clemmons, Apr 28. Answered by Doug D from Indialantic, Jul 1. Answered by Ahmad H from Dubai, Jun 17.

Note that if your device supports Wi-Fi, it is most likely affected. Our detailed research paper can already be downloaded.

As a proof-of-concept we executed a key reinstallation attack against an Android smartphone. In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher.

This is because Android and Linux can be tricked into reinstalling an all-zero encryption key (see below for more info). When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted. In any case, the following demonstration highlights the type of information that an attacker can obtain when performing key reinstallation attacks against protected Wi-Fi networks.

Our attack is not limited to recovering login credentials. In general, any data or information that the victim transmits can be decrypted. Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim. Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can still be bypassed in a worrying number of situations.

Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way handshake also negotiates a fresh encryption key that will be used to encrypt all subsequent traffic.

Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by some variant of our attack. In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value.

Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice. As described in the introduction of the research paper, the idea behind a key reinstallation attack can be summarized as follows.

When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times.

Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g. packets can be replayed, decrypted, and/or forged.

In our opinion, the most widespread and practically impactful attack is the key reinstallation attack against the 4-way handshake. We base this judgement on two observations. First, during our own research we found that most clients were affected by it. Second, adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies. Decryption of packets is possible because a key reinstallation attack causes the transmit nonces (sometimes also called packet numbers or initialization vectors) to be reset to their initial value.

As a result, the same encryption key is used with nonce values that have already been used in the past. In turn, this causes all encryption protocols of WPA2 to reuse keystream when encrypting packets. In case a message that reuses keystream has known content, it becomes trivial to derive the used keystream. This keystream can then be used to decrypt messages with the same nonce. When there is no known content, it is harder to decrypt packets, although still possible in several cases (e.g. English text can still be decrypted). In practice, finding packets with known content is not a problem, so it should be assumed that any packet can be decrypted. As a result, even though WPA2 is used, the adversary can now perform one of the most common attacks against open Wi-Fi networks: injecting malicious data into unencrypted HTTP connections. For example, an attacker can abuse this to inject ransomware or malware into websites that the victim is visiting.
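The keystream-reuse step described above, as an added worked example (this is not code from the paper or from the KRACK scripts). It models only the confidentiality part of a WPA2 station: a temporal key and a transmit packet number (PN) that a key installation resets to zero. To keep it standard-library only, SHA-256 over (key, PN, block counter) stands in for the AES block that real CCMP uses; the attack only needs the keystream to be a deterministic function of key and PN, which holds for both. The `Station` class, the two HTTP frames and the 16-byte key are all constructed for the example.

```python
import hashlib
import os


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """CTR-style keystream for one frame: a deterministic function of (key, PN).

    Real CCMP computes each block as AES_key(flags || sender address || PN || ctr);
    SHA-256 over the same kind of input stands in for AES here (an assumption made
    for this example). The property the attack relies on is identical: repeat the
    PN under the same key and you repeat the keystream.
    """
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + ctr.to_bytes(2, "big")).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """The data-confidentiality state of a WPA2 client: a key and a transmit PN."""

    def __init__(self, tk: bytes):
        self.install_key(tk)

    def install_key(self, tk: bytes):
        # Installing a key, whether fresh or the same one again, resets the PN.
        self.tk = tk
        self.pn = 0

    def encrypt(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))


# Constructed sample traffic. The first frame has content the attacker can guess
# (a plain HTTP request to a known site); the second is what the attacker wants.
KNOWN_FRAME = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/7.64\r\n"
SECRET_FRAME = b"POST /login HTTP/1.1\r\nCookie: session=abc123\r\n"


def decrypt_after_reinstall(tk: bytes, reinstall: bool = True) -> bytes:
    """Attacker's view: two captured frames; returns what it recovers of the second."""
    victim = Station(tk)
    _, ct_known = victim.encrypt(KNOWN_FRAME)      # sent with PN = 1
    if reinstall:
        victim.install_key(tk)                      # replayed message 3: same key, PN -> 0
    _, ct_secret = victim.encrypt(SECRET_FRAME)    # PN = 1 again if reinstalled
    # The attacker never learns tk. It XORs a ciphertext with its known plaintext to
    # get the keystream for that PN, then applies it to the other frame with that PN.
    recovered_ks = xor(ct_known, KNOWN_FRAME)
    n = min(len(recovered_ks), len(ct_secret))      # only as many bytes as known plaintext
    return xor(ct_secret[:n], recovered_ks[:n])


if __name__ == "__main__":
    tk = os.urandom(16)
    print(decrypt_after_reinstall(tk))              # the POST request, in the clear
    print(decrypt_after_reinstall(tk, False))       # no PN reuse: unrelated keystream, garbage
```

Note that the attacker recovers at most as many bytes as it has known plaintext for; the known frame here is longer than the secret one, so the whole cookie comes out. With `reinstall=False` the second frame is sent under PN 2, the keystreams are unrelated, and the same XOR yields nothing useful.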

Against the WPA-TKIP and GCMP encryption protocols, nonce reuse enables an adversary to not only decrypt, but also to forge and inject packets. Moreover, because GCMP uses the same authentication key in both communication directions, and this key can be recovered if nonces are reused, it is especially affected. Note that support for GCMP is currently being rolled out under the name Wireless Gigabit (WiGig), and is expected to be adopted at a high rate over the next few years.

The direction in which packets can be decrypted and possibly forged depends on the handshake being attacked. Simplified, when attacking the 4-way handshake, we can decrypt and forge packets sent by the client. Finally, most of our attacks also allow the replay of unicast, broadcast, and multicast frames. For further details, see Section 6 of our research paper. Note that our attacks do not recover the password of the Wi-Fi network. They also do not recover any parts of the fresh encryption key that is negotiated during the 4-way handshake.

Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client will install an all-zero encryption key instead of reinstalling the real key. This vulnerability appears to be caused by a remark in the Wi-Fi standard that suggests to clear the encryption key from memory once it has been installed for the first time.

When the client now receives a retransmitted message 3 of the 4-way handshake, it will reinstall the now-cleared encryption key, effectively installing an all-zero key. This makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices. The following Common Vulnerabilities and Exposures (CVE) identifiers were assigned to track which products are affected by specific instantiations of our key reinstallation attack:

Note that each CVE identifier represents a specific instantiation of a key reinstallation attack. Our research paper behind the attack is titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Although this paper is made public now, it was already submitted for review on 19 May 2017. After this, only minor changes were made.

As a result, the findings in the paper are already several months old. In the meantime, we have found easier techniques to carry out our key reinstallation attack against the 4-way handshake. With our novel attack technique, it is now trivial to exploit implementations that only accept encrypted retransmissions of message 3 of the 4-way handshake. This was discovered by John A. Van Boxtel.

As a result, all Android versions higher than 6.0 are also affected by the attack, and hence can be tricked into installing an all-zero encryption key. The new attack works by injecting a forged message 1, with the same ANonce as used in the original message 1, before forwarding the retransmitted message 3 to the victim.

Please cite our research paper and not this website (or cite both). You can use the following example citation:

Mathy Vanhoef and Frank Piessens. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS). ACM, 2017.

We have made scripts to detect whether an implementation of the 4-way handshake, group key handshake, or Fast BSS Transition (FT) handshake is vulnerable to key reinstallation attacks. These scripts are available on GitHub, and contain detailed instructions on how to use them.

We also made a proof-of-concept script that exploits the all-zero key reinstallation present in certain Android and Linux devices. This script is the one that we used in the demonstration video. It will be released once everyone has had a reasonable chance to update their devices and we have had a chance to prepare the code repository for release.

We remark that the reliability of our proof-of-concept script may depend on how close the victim is to the real network. If the victim is very close to the real network, the script may fail because the victim will always directly communicate with the real network, even if the victim is forced onto a different Wi-Fi channel than this network.

Luckily, implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point (AP), and vice versa.

In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time.

However, the security updates will ensure a key is only installed once, preventing our attack. So again, update all your devices once security updates are available. Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks! Changing the password of your Wi-Fi network does not prevent or mitigate the attack, so you do not have to update the password of your Wi-Fi network. Instead, you should make sure all your devices are updated, and you should also update the firmware of your router.
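The client-side behaviour discussed on this page, as one added simulation that is not part of the KRACK scripts or the paper: what an unpatched client does with a retransmitted message 3 (key reinstalled, counters reset), what a wpa_supplicant 2.4-style client does (key cleared after the first install, so the retransmission installs all zeros), and what the backwards-compatible fix does (reply with message 4 but install nothing). The `probe` function applies the same check a detection script would: replay message 3 once and see whether the key in use changed or the client's packet number went backwards. The `Supplicant` class, its three mode names and the random 16-byte PTK are assumptions made for this example; messages 1 and 2 and the key derivation are taken as already done, and no frames are actually encrypted.

```python
import os

ZERO_KEY = bytes(16)


class Supplicant:
    """Client side of the 4-way handshake, from message 3 onwards.

    mode is one of (names chosen for this example):
      "vulnerable" - reinstalls the key on every message 3 (pre-patch behaviour)
      "zero_key"   - like "vulnerable", but clears the key from memory once it has
                     been installed, as wpa_supplicant 2.4+ did; a second install
                     therefore installs all zeros
      "patched"    - installs the key once; later copies of message 3 only get a
                     message 4 reply, so the handshake stays wire-compatible
    """

    def __init__(self, mode: str, ptk: bytes):
        self.mode = mode
        self.ptk = ptk             # key material held by the supplicant
        self.installed_key = None  # key handed to the encryption layer
        self.tx_pn = 0             # transmit packet number (the CCMP nonce)
        self.rx_replay = 0         # receive replay counter

    def receive_msg3(self) -> str:
        if self.mode == "patched" and self.installed_key is not None:
            return "msg4"          # acknowledge the retransmission, keep installed state
        self.installed_key = self.ptk
        self.tx_pn = 0             # (re)installing resets both counters
        self.rx_replay = 0
        if self.mode == "zero_key":
            self.ptk = ZERO_KEY    # "clear the key from memory once installed"
        return "msg4"

    def send_data(self):
        """Return (key used, PN) of the next data frame the client would send."""
        self.tx_pn += 1
        return self.installed_key, self.tx_pn


def probe(mode: str) -> dict:
    """Detection logic: does a replayed message 3 change the key in use, or make
    the client's packet number fail to advance?"""
    client = Supplicant(mode, os.urandom(16))
    client.receive_msg3()                      # genuine message 3 from the AP
    _, pn_before = client.send_data()
    client.receive_msg3()                      # attacker replays the retransmitted message 3
    key_after, pn_after = client.send_data()
    pn_reused = pn_after <= pn_before
    zero_key = key_after == ZERO_KEY
    if zero_key:
        verdict = "all-zero key installed"
    elif pn_reused:
        verdict = "key reinstalled, nonce reset"
    else:
        verdict = "not vulnerable"
    return {"pn_reused": pn_reused, "zero_key": zero_key, "verdict": verdict}


if __name__ == "__main__":
    for mode in ("vulnerable", "zero_key", "patched"):
        print(mode, probe(mode))
```

Two things the simulation makes visible: the patched client answers the replayed message 3 exactly as before, which is why a patched client still interoperates with an unpatched AP; and the all-zero case is the worst one because the attacker no longer needs any known plaintext, since the key in use is public.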

Nevertheless, after updating both your client devices and your router, it's never a bad idea to change the Wi-Fi password. A WPA2 network configured to use only AES (CCMP) is also vulnerable. So everyone should update their devices to prevent the attack!

I use the word "we" because that's what I'm used to writing in papers. In practice, all the work is done by me, with me being Mathy Vanhoef. My awesome supervisor is added under an honorary authorship to the research paper for his excellent general guidance. But all the real work was done on my own.

So the author list of academic papers does not represent division of work.

Any device that uses Wi-Fi is likely vulnerable. Contact your vendor for more information, or consult this community maintained list on GitHub.

First, the FT handshake is part of 802.11r, which is mainly supported by enterprise networks. Additionally, most home routers or APs do not support or will not use client functionality. In other words, your home router or AP likely does not require security updates.

Instead, it is mainly enterprise networks that will have to update their network infrastructure (i.e. their access points).
